What is the ISA 2006?
Microsoft Internet Security and Acceleration (ISA) Server 2006 (ISA 2006) is a highly secure edge gateway that helps protect IT environments from Internet-based threats, while providing users fast and secure remote access to applications and data.
At NTSL, this is our recommended way to secure the Microsoft Exchange messaging system and extranet data publishing via Microsoft SharePoint. ISA 2006 plays a key role in your network defence!
ISA 2006 is a full-scale, Internet- and intranet-strength firewall. It is not just a “proxy server”, “security gateway” or “secure application publishing” solution, as it has been promoted in various circles of consultants and marketers.
ISA Server 2006 is a multi-featured and multi-purpose product that can be deployed in a variety of ways to meet the unique requirements of virtually any organization. As an integrated firewall, Web proxy and VPN server and gateway, ISA Server 2006 can be configured to act in each of these roles or be set up to provide only a subset. This flexibility enables you to introduce ISA Server into your network with minimal disruption to your current infrastructure and provide the security services you need.
ISA Server is an NS9200 series security gateway appliance that you can deploy in your network environment, securing your core network applications and servers. ISA Server 2006 is essentially many products in one. In a single software package, you get:
1. A network layer firewall
2. An application layer inspection security gateway
3. Forward and reverse Web proxy and caching server
4. Remote access VPN server
5. Site to site VPN gateway
A Network Layer Firewall
ISA Server 2006, like Check Point NG and the Cisco PIX/ASA firewall product lines, is a stateful packet inspection firewall. A stateful packet inspection firewall examines the IP (Internet Protocol) header information and connection state to make sure that attackers don’t take advantage of inherent security vulnerabilities at the network layer. ISA 2006 is able to detect and block common network layer attacks so that attackers on the Internet, or even in your own organization, are not able to disable or take over the ISA 2006 firewall.
Stateful packet inspection firewalls were state of the art in the 1990s. However, the threat landscape has changed significantly since that time. While malicious users at the end of the 20th century were interested in disabling the firewall and defacing Web sites for personal ego gratification, modern day hackers are more interested in obtaining or destroying corporate information for personal gain. Today’s network criminal is not interested in attacking the firewall or defacing a Web server; he is more interested in “going under the radar” to steal, change, or destroy data.
Application Layer Inspection Security Gateway
Stateful packet inspection firewalls are unable to determine if there is an attack against a Web server, mail server, FTP server or any other kind of network application. All a stateful packet inspection-only firewall can do is protect you against simple network layer attacks. For this reason, an application layer inspection firewall or security gateway is required.
ISA 2006 continues in the tradition of ISA Server as the leading-edge application layer inspection firewall and security gateway. In fact, you’ll see ISA Server described as a “secure gateway” instead of a firewall, because the term firewall is losing its lustre due to its heritage as a stateful packet inspection-only device. The ISA 2006 firewall takes both stateful packet inspection and application layer inspection and combines them into a powerful network security gateway solution.
Forward and Reverse Web Proxy and Caching Server
A Web proxy server is a machine that accepts Web connections from Web browsers and other Web-enabled applications and forwards those connections to the destination Web server on behalf of the user making the request. The Web proxy server can accept connections from users on your corporate network and forward them to an Internet Web server, or it can accept incoming connections to Web servers and services on your corporate network and forward them to company servers.
When the ISA Server 2006 firewall acts as a Web proxy server, it has full knowledge of the communications being made through it. This enables the ISA firewall’s Web proxy services to provide a significant level of security for Web connections and to protect your network from viruses, worms, hacking attempts and more, starting with identifying and authorizing users before allowing Web connections through the ISA firewall and Web proxy and caching server. Among other things, the ISA firewall and Web proxy and caching server can:
- Pre-authenticate the user at the ISA firewall and Web proxy and caching server for incoming connections to corporate Web and mail servers. When pre-authentication is enforced by the ISA firewall, it prevents anonymous users on the Internet from connecting to your corporate assets. Since attackers don’t have access to legitimate user credentials, they are unable to attack your Web servers.
- Transparently authenticate users on the corporate network before their connections are allowed to the Internet. This allows the ISA Server to record the user names for all connections made through the ISA firewall and include this information in logs and reports for forensic and regulatory purposes.
- Perform deep application layer inspection on all the Web connections made through the ISA firewall using ISA’s HTTP Security Filter. This application layer inspection filter enables the ISA firewall to “scrub” Web sessions to make sure suspicious and potentially dangerous HTTP commands and data do not compromise your network.
- Control which Web sites users are allowed to access, the time of day users are able to connect, and even the types of information users can download from the Web. For example, you can use the ISA firewall’s Web proxy features to block access to executable files, streaming media, and documents such as Microsoft Word files.
- Cache information requested by users to accelerate the Internet experience. When a user on the corporate network requests a Web page, ISA 2006 places that Web page in its Web cache. When another user requests the same Web page, it is returned from the Web cache rather than fetched again from the Internet Web server. This reduces the bandwidth needed on the Internet connection and gives users much faster access to the information.
This is just a short list of what the ISA 2006 Web proxy and caching component can do for your company.
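As an added illustration (not ISA Server’s own code), the following Python model applies the checks just listed, in order, to constructed sample requests: pre-authentication, per-user logging, HTTP method scrubbing, file-type control and a time-of-day rule. The allowed-method set, the blocked-extension set and the `business_hours` window are assumed policy values, not ISA defaults.

```python
# Added example (not ISA Server code): a simplified model of the Web proxy
# policy checks listed above, run over constructed sample requests.
# ALLOWED_METHODS, BLOCKED_EXTENSIONS and business_hours are hypothetical policy values.
from dataclasses import dataclass, field
from typing import Dict, Optional

ALLOWED_METHODS = {"GET", "HEAD", "POST"}              # hypothetical HTTP filter policy
BLOCKED_EXTENSIONS = {".exe", ".doc", ".wmv", ".asf"}  # executables, Word files, streaming media


@dataclass
class Request:
    user: Optional[str]   # None = no credentials presented (anonymous)
    direction: str        # "outbound": corporate user to Internet; "inbound": Internet to published server
    method: str
    url: str
    hour: int             # local hour of day, 0-23


@dataclass
class Decision:
    allowed: bool
    reason: str
    log: Dict[str, str] = field(default_factory=dict)


def evaluate(req: Request, business_hours=range(7, 19)) -> Decision:
    """Apply the checks in the order the page lists them; the first failure wins.
    The log entry always carries the user name so reports can attribute the request."""
    log = {"user": req.user or "anonymous", "direction": req.direction,
           "method": req.method, "url": req.url}
    # 1. Pre-authentication: nobody, inbound or outbound, proceeds without credentials,
    #    so an attacker without a valid account never reaches the published Web server.
    if req.user is None:
        return Decision(False, "unauthenticated", log)
    # 2. HTTP Security Filter: scrub requests that use methods outside the allowed set.
    if req.method.upper() not in ALLOWED_METHODS:
        return Decision(False, f"method {req.method} not permitted", log)
    # 3. Content control: block executables, Word documents and streaming media
    #    (query string stripped first so "setup.exe?x=1" is still caught).
    path = req.url.split("?", 1)[0].lower()
    if any(path.endswith(ext) for ext in BLOCKED_EXTENSIONS):
        return Decision(False, "blocked file type", log)
    # 4. Time-of-day rule applies only to outbound browsing by corporate users.
    if req.direction == "outbound" and req.hour not in business_hours:
        return Decision(False, "outside permitted hours", log)
    return Decision(True, "allowed", log)
```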
Remote Access VPN Server
An increasing number of employees need access to information contained on the corporate network when they’re out of the office. Employees need to access Word documents, PowerPoint files, databases and more when on the road or when working from home. Even more important to business continuity is the ability to provide off-site workers access to corporate information in the event of an emergency, when workers might not be able to leave their homes. One of the most secure ways you can provide employees access to this information is by using a remote access VPN server.
One of the drawbacks of traditional VPN solutions sold by major VPN server vendors is that once the user connects to the VPN server, that user has access to any resource on the corporate network. The problem with this is that the computers remote access users use to connect to the corporate network are typically not managed machines and are therefore at higher risk of worm, virus and trojan infection.
ISA Server 2006 plugs this security hole found in typical “hardware” VPN servers using three powerful methods:
- Strong user/group-based access control and least privilege access for remote access VPN connections
- Application layer inspection on all remote access VPN connections
- ISA 2006 VPN Quarantine Control
Strong User/Group-based Access and Least Privilege for Remote Access VPN Connections
ISA 2006 allows you to control user access based on the user account or the user’s group membership. Access policy is enforced on the user so that, in contrast to traditional “hardware” VPN servers, users are allowed access only to the applications they have been given permission to use and no more. VPN users aren’t allowed free access to the entirety of the corporate network, only to the resources they require to get their work done.
Application Layer Inspection on all Remote Access VPN Connections
Survivors of the Blaster worm might recall that they had a false sense of security when they configured their Internet firewalls to block the worm from gaining entry to their network from the Internet. These companies were still infected by Blaster, not from the Internet, but from VPN users. These companies used traditional “hardware” remote access VPN servers that could not perform application layer inspection on the VPN users.
In contrast to the traditional remote access VPN server, ISA 2006 performs both stateful packet and application layer inspection on all traffic moving over the VPN link. Worms like Blaster cannot infect the corporate network over an ISA 2006 VPN connection because the ISA firewall’s smart RPC application layer inspection filter blocks the worm traffic. This ability to inspect application traffic enables the ISA firewall to protect you against compromised VPN client computers in the same way that it protects you from Internet-based exploits.
ISA Server 2006 VPN Quarantine Control
For a comprehensive remote access VPN client defence in depth solution, the remote access VPN server should be able to pre-qualify the security status and general system health of the machine connecting through the remote access VPN link. This enables you to be more confident that even unmanaged machines meet minimal security configuration requirements before being allowed to connect to the corporate network.
ISA Server 2006 solves this problem by implementing Remote Access VPN Quarantine (VPN-Q). The VPN-Q feature allows you to configure a set of parameters that VPN client systems must meet before being allowed to access resources on the corporate network. If a VPN client system is not able to pass these security and health checks, you can configure the VPN-Q feature to automatically update and configure the VPN client so that it passes inspection and is then allowed into the system. If a VPN client cannot be completely updated, the connection is dropped. This protects your company from fatally flawed and compromised computers that could attack and destroy your company’s core information assets.
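An added Python model (not ISA Server code) of the two VPN controls described in this section: user/group-based least privilege for VPN users, and the VPN-Q flow of checking client health, remediating what can be fixed, and dropping the connection otherwise. The group table, the set of health parameters and the client data are constructed for the example.

```python
# Added example (not ISA Server code): a model of the two VPN controls described
# above, run on constructed client data. GROUP_ACCESS and REMEDIABLE are
# hypothetical policy tables standing in for the real ISA configuration.
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Least privilege: which internal applications each group may reach over the VPN.
GROUP_ACCESS: Dict[str, Set[str]] = {"Sales": {"crm", "email"}, "Finance": {"erp", "email"}}

# Quarantine parameters; True means the gateway can fix a failure automatically
# (e.g. push current signatures), False means the connection must be dropped.
REMEDIABLE: Dict[str, bool] = {"av_signatures_current": True, "host_firewall_on": True,
                               "critical_patches_installed": False}


@dataclass
class VpnClient:
    user: str
    groups: Set[str]
    health: Dict[str, bool]                    # reported state of each parameter
    events: List[str] = field(default_factory=list)


def quarantine_check(client: VpnClient) -> bool:
    """VPN-Q: remediate what can be fixed, admit only when every parameter passes,
    otherwise drop the connection before it touches the corporate network."""
    for param, fixable in REMEDIABLE.items():
        if client.health.get(param, False):
            continue
        if not fixable:
            client.events.append(f"dropped: {param} failed and cannot be remediated")
            return False
        client.health[param] = True            # simulated automatic update
        client.events.append(f"remediated {param}")
    client.events.append("released from quarantine")
    return True


def allowed_applications(client: VpnClient) -> Set[str]:
    """Union of what the user's groups permit; never the whole network."""
    return set().union(*(GROUP_ACCESS.get(g, set()) for g in client.groups))


def admit(client: VpnClient, app: str) -> bool:
    """One request: health check first, then per-user/group access to the application."""
    if not quarantine_check(client):
        return False
    ok = app in allowed_applications(client)
    client.events.append(f"{'allowed' if ok else 'denied'} {client.user} -> {app}")
    return ok
```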
Site to Site VPN Gateway
We all hope that our companies grow large enough to require branch offices. But with expansion into branch offices comes the increased complexity and expense required to connect those branch offices to the main office network’s resources. There are a number of options available to provide branch office connectivity to the main office; these include:
- Dedicated WAN links provided by telco providers
- Managed VPN networks provided by telco providers and ISPs
- Corporate-managed site to site VPN networks terminated at company VPN gateways
- Limited connectivity via “publishing” of corporate resources
Dedicated WAN links and managed VPNs are a good solution for companies that are immune to cost considerations. These options can be prohibitively expensive, and organizations that are interested in cost control prefer to use corporate-managed site to site VPN connections between corporate-managed VPN gateways.
A VPN gateway allows you to connect your main office to all of your branch offices over inexpensive Internet connections and do so in a secure fashion. Each ISA firewall and security gateway, at the branch offices and the main office, enforces strong stateful packet and application layer inspection over the information moving over the site to site VPN links. In addition, all connections made by branch office users are logged and recorded so that you have a comprehensive history of what users at the branch offices have been doing with main office resources.
The ISA 2006 site to site VPN feature set is an integral part of the ISA 2006 branch office gateway role.
© 2010 NTSL Inc.